We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of
anonymous communication in the Universally Composable framework that abstracts the essential properties 
of onion routing in the presence of an active adversary who controls a portion of the network and knows all 
a priori distributions on user choices of destination. Our results quantify how much the adversary can gain 
in identifying users by exploiting knowledge of their probabilistic behavior. In particular, we show that, in 
the limit as the network gets large, a user u’s anonymity is worst either when the other users always choose 
the destination u is least likely to visit or when the other users always choose the destination u chooses. This 
worst-case anonymity with an adversary that controls a fraction b of the routers is shown to be comparable 
to the best-case anonymity against an adversary that controls a fraction $\sqrt{b}$.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General — security 
and protection; C.2.4 [Computer-Communication Networks]: Distributed Systems — Distributed applications;
K.4.1 [Computers and Society]: Public Policy Issues — privacy; G.3 [Probability and Statistics]:
probabilistic algorithms 

General Terms: Security, Theory

1. INTRODUCTION

Every day, half a million people use the onion-routing network Tor [Dingledine et al. 
2004] to anonymize their Internet communication. However, the effectiveness of this 
service, and of onion routing in general, is not well understood. The approach we take 
to this problem is to model onion routing formally all the way from the protocol details 
to the behavior of the users. We then analyze the resulting system and quantify the 
anonymity it provides. Key features of our model include i) a black-box abstraction in 
the Universally Composable (UC) framework [Canetti 2000] that hides the underlying 
operation of the protocol and ii) probabilistic user behavior and protocol operation.

Systems for communication anonymity generally have at most one of two desirable 
properties: provable security and practicality. Systems that one can prove secure have 
used assumptions that make them impractical for most communication applications. 
Practical systems are ultimately the ones we must care about, because they are the 
ones that will actually be used. However, their security properties have not been rigorously
analyzed or even fully stated. This is no surprise, because practical anonymity
systems have been deployed and available to study for perhaps a decade, while prac- 
tical systems for communications confidentiality and/or authenticity have been in use 
almost as long as there have been electronic communications. It often takes a while for 
theory and practice to catch up to each other. 

Of the many anonymous-communication design proposals (e.g., [Chaum 1981; 1988;
Reiter and Rubin 1998; Beimel and Dolev 2003; Nambiar and Wright 2006; Corrigan- 
Gibbs and Ford 2010]), onion routing [Goldschlag et al. 1996] has had notable success 
in practice. Several implementations have been made [Goldschlag et al. 1996; Syverson 
et al. 2000; Dingledine et al. 2004], and there was a similar commercial system, Free- 
dom [Goldberg and Shostack 2001]. As of October 2011, Tor [Dingledine et al. 2004], 
the most recent iteration of the basic design, consists of about 3000 routers, provides a 
total bandwidth of over 1000 MB/s, and has an estimated total user population of about 
500,000 [Loesing et al. 2011]. Because of this popularity, we believe it is important to 
improve our understanding of the protocol. 

Onion routing is a practical anonymity-network scheme with relatively low overhead
and latency. Users use a dedicated set of onion routers to forward their traffic, obscuring
the relationship between themselves and their destinations. To communicate with
a destination, a user selects a sequence of onion routers and constructs a circuit, or persistent
connection, over that sequence. Messages to and from the destination are sent
over the circuit. Onion routing provides two-way, connection-based communication and 
does not require that the destination participate in the anonymity-network protocol. 
These features make it useful for anonymizing much of the communication that takes 
place over the Internet today, such as web browsing, chatting, and remote login. Thus, 
formal analysis and provable anonymity results for onion routing are significant. 

As a step toward the overall goal of bridging the gap between provability and practi- 
cality in anonymous-communication systems, we have formally modeled and analyzed 
relationship anonymity [Pfitzmann and Hansen 2000; Shmatikov and Wang 2006] in 
Tor. Although this provides just a small part of the complete understanding of practical 
anonymity at which our research program is aimed, already it yields nontrivial results 
that require delicate probabilistic analysis. We hope that this aspect of the work will 
spur the Theoretical Computer Science community to devote the same level of atten- 
tion to the rigorous study of anonymity as it has to the rigorous study of confidentiality. 

1.1. Summary of Contributions 

Black-box abstraction. In the present paper, we treat the network simply as a “black 
box”¹ to which users connect and through which they communicate with destinations.
The abstraction captures the relevant properties of a protocol execution that the ad- 
versary can infer from his observations - namely, the observed users, the observed des- 
tinations, and the possible connections between the two. In this way, we abstract away 
from much of the design specific to onion routing so that our results apply both to onion 
routing and to other low-latency anonymous-communication designs. We express the 
black-box model within the Universally Composable (UC) security framework [Canetti 
2000], which is a standard way to express the function and security properties of cryp- 
tographic protocols. We tie our functionality to the guarantees of an actual protocol 
by showing it reveals as much information about users’ communication as the onion 
routing protocol we formalized [Feigenbaum et al. 2007] in an I/O-automata model. 


1 We note that our use of a “black box” is slightly different than the more common uses in the literature. 
Black-box access to some cryptographic primitives is commonly used as a starting point to achieve some 
other desired functionality. Here we show how, for purposes of anonymity analysis, we need only consider a 
black-box abstraction.

Moreover, we discuss how the functionality can be a protocol within the UC framework
itself.

Probabilistic model. Our previous analysis in the I/O-automata model was possi- 
bilistic, a notion of anonymity that is simply not sensitive enough. It makes no dis- 
tinction between communication that is equally likely to be from any one of a hundred 
senders and communication that came from one sender with probability .99 and from 
each of the other 99 senders with probability .000101. An adversary in the real world 
is likely to have information about which scenarios are more realistic than others. In 
particular, users’ communication patterns are not totally random. When the adversary 
can determine with high probability, e.g. , the sender of a message, that sender is not 
anonymous in a meaningful way. 

Using this intuition, we include a probability measure in our black-box model. In 
this probability measure, each user chooses a destination according to some probability 
distribution. We model heterogeneous user behavior by allowing this distribution to be 
different for different users. We also assume that the users choose their circuits by 
selecting the routers on it independently and at random. 

Bounds on anonymity. We analyze relationship anonymity [Pfitzmann and Hansen 
2000; Shmatikov and Wang 2006] in our onion routing model. Relationship anonymity 
is obtained when the adversary cannot identify the destination of a user. The adversary 
can infer a probability distribution for a user’s destination given the adversary’s obser- 
vations. We consider the probability assigned to the correct destination as a measure of 
anonymity. To be more precise, because this probability depends on the choices of the 
other users and thus has its own distribution, we will use its expectation as our met- 
ric. Moreover, this expectation depends on the other users’ destination distributions. 
If their distributions are very different from that of the given user, the adversary may 
have an easy time separating out the actions of the user. If they are similar, the user 
may more effectively hide in the crowd. We provide the following results on a user’s 
anonymity and its dependence on other user behavior: 

(1) We show that a standard approximation to our metric provides a lower bound on 
it (Thm. 3.3). 

(2) We show that the worst case for anonymity over other users’ behavior is when 
every other user either always visits the destinations the user is otherwise least 
likely to visit or always visits his actual destination (Cor. 3.7). The former will be 
the worst case in most situations. 

(3) We give an asymptotic expression for our metric in the worst cases (Thm. 3.6). The 
limit of this expression in the most common worst case with an adversary control- 
ling a fraction b of the network is equal to the lower bound on the metric when the 
adversary controls a larger fraction $\sqrt{b}$ of the network. This is significantly worse
than the standard analysis suggested, and shows the importance of carefully con- 
sidering the adversary’s knowledge of the system. 

(4) We consider anonymity in a more typical set of user distributions in which each 
user selects a destination from a common Zipfian distribution. Because the users 
are identical, every user hides well among the others, and we show that, as the 
user population grows, the anonymity approaches the lower bound (Thm. 4). This 
shows you may be able to use the standard approximation with accurate results if 
you are able to make assumptions about user behavior. 

1.2. Organization of Paper 

We present the details of our black-box model and our anonymity metric in Section 2. 
In that section we also justify the model by showing how its results provably relate 
to results in more detailed protocol formalizations ([Feigenbaum et al. 2007; Backes
et al. 2012]). Section 3 presents our results bounding anonymity in our model. Section 4
presents an approximation for anonymity under an additional assumption about
typical user behavior. Section 5 describes related work in this area. Finally, we sum up
and discuss future research directions in Section 6.

upon receiving $d \in \Delta$ from $u \in U$
    $x \leftarrow u$ with probability $b$, $\perp$ with probability $1 - b$
    $y \leftarrow d$ with probability $b$, $\perp$ with probability $1 - b$
    send $(x, y)$ to the adversary

Fig. 1. Black-box ideal functionality $\mathcal{F}_{OR}$

2. TECHNICAL PRELIMINARIES 
2.1. Model 

We describe our analysis of onion routing in terms of an ideal functionality in the Universal
Composability framework [Canetti 2000]. We use such a functionality for three
reasons: first, it abstracts away the details that aren’t relevant to anonymity; second,
the UC framework provides the notion of UC emulation, which captures exactly when
our analysis applies to a cryptographic protocol; and third, it immediately suggests
ways to perform similar analyses of other anonymous-communication protocols that
may not strictly provide this functionality.

Let $U$ be the set of users with $|U| = n$. Let $\Delta$ be the set of destinations. Let $R$ be
the set of onion routers. Let $\mathcal{F}_{OR}$ be the ideal functionality. $\mathcal{F}_{OR}$ takes the set $A \subseteq R$
of compromised routers from the adversary at the beginning of the execution². Let
$b = |A|/|R|$. The black-box functionality is given in Figure 2.1. When user $u$ forwards
his input from the environment to $\mathcal{F}_{OR}$, the functionality checks to see if it is some
$d \in \Delta$. If so, $\mathcal{F}_{OR}$ notifies the adversary of the connection and includes the source with
probability $b$ and the destination with probability $b$.

To analyze the anonymity provided by the ideal functionality, we make two assumptions
about the inputs from the environment. First, we assume that the environment
selects the destination of user $u$ from a distribution $p^u$ over $\Delta$, where we denote the
probability that $u$ chooses $d$ as $p^u_d$. Second, we assume that the environment sends a
destination to each user. Note that these assumptions need not be made when showing
that a protocol UC-emulates $\mathcal{F}_{OR}$.

We refer to the combination of the adversary model, the assumptions about the environment,
and the ideal functionality as the black-box model. Let $C$ be the relevant
configuration resulting from an execution. $C$ includes a selection of a destination by
each user, $C_D : U \to \Delta$, a set of users whose inputs are observed, $C_I : U \to \{0, 1\}$, and
a set of users whose outputs are observed, $C_O : U \to \{0, 1\}$. A user’s input, output, and
destination will be called its circuit.

For any configuration, there is a larger set of configurations that are consistent with
the outputs that the adversary receives from $\mathcal{F}_{OR}$. We will call two configurations indistinguishable
if the set of messages $(x, y)$ revealed to the adversary are the same. We
use the notation $C \approx \bar{C}$ to indicate that configurations $C$ and $\bar{C}$ are indistinguishable.

Our ideal functionality models anonymous communication over some period of time. 
It takes as input from each user the identity of a destination. For every such connection 


2 The adversary compromises routers only because a compromised user has no anonymity and is effectively
removed from the set of users $U$ for purposes of deanonymization.

between a user and destination, the functionality may reveal to the adversary the identity
of the user, the identity of the destination, or both. Revealing the user corresponds 
in onion routing to the first router in the circuit being compromised, and revealing 
the destination corresponds to the last router being compromised. The adversary cap- 
tured in our model is computationally bounded, controls a fixed set of routers, and can 
actively attack the protocol. That such an attacker can sometimes learn the source 
and destination and can link them together is motivated by the results in [Feigen- 
baum et al. 2007], which we explicitly relate to our ideal functionality in Sec. 2.4. 
We note that we include only information flow to the adversary in this functionality 
rather than try to capture the type of communication primitive offered by onion routing 
because our focus is analyzing anonymity rather than defining a useful anonymous- 
communication functionality. This model is reminiscent of the general model of anony- 
mous communication used by Kesdogan et al. [2002] in their analysis of an intersection 
attack. However, we do make a few assumptions that are particularly appropriate for 
onion routing. 

First, the functionality allows the adversary to know whether or not he has directly 
observed the user. This is valid under the assumption that the initiating client is not 
located at an onion router itself. This is the case for the vast majority of circuits in Tor 
and in all significant deployments of onion routing and similar systems to date. We 
discuss this assumption further in Section 6. 

Second, we assume that every user is responsible for exactly one connection in a 
round. Certainly users can communicate with multiple destinations simultaneously 
in actual onion-routing systems. However, it seems likely that in practice most users 
have at most some small (and fixed-bound) number of active connections at any time. 
To the extent that multiple connections are only slightly more likely to be from the 
same user than if all connections were independently made and identically distributed, 
this is a reasonable approximation. This is increasingly true as the overall number of 
connections grows. To the extent that multiple connections are less likely to be from 
the same user this is a conservative assumption that gives the adversary as much 
power to break anonymity as the limited number of user circuits can provide. 

Third, the functionality omits the possibility that the adversary observes the user 
and destination but does not recognize that those observations are part of the same 
connection. This is another conservative assumption that is motivated by the exis- 
tence of timing attacks that an active adversary can use to link traffic that it sees at 
various points along its path through the network [Syverson et al. 2000]. In a timing 
attack, the adversary observes the timing of the messages going into the onion-routing 
network and matches them to similar patterns of messages coming out of the onion- 
routing networks slightly later. Such attacks have been experimentally demonstrated 
[Øverlier and Syverson 2006; Bauer et al. 2007] and are easy to mount.

Our model captures several different flavors of onion routing (e.g. [Goldschlag et al. 
1996; Dingledine et al. 2004; Øverlier and Syverson 2007; Kate et al. 2007]) and possibly
some related protocols. Some onion-routing variants, however, do not seem to map
well into the abstraction. We discuss this in more detail in Section 5. 

Note that our model does not capture several known attacks on anonymity in onion 
routing. In particular, it does not include attacks exploiting resource interference [Mur- 
doch and Danezis 2005; Murdoch 2006], heterogeneity on network latency [Hopper 
et al. 2010], correlated destinations between rounds, and identifying patterns of com- 
munication [Herrmann et al. 2009]. We do not include such attacks primarily to focus 
on the most important threats to anonymity, because many of the omitted attacks are 
attacks on underlying systems rather than on the protocol (e.g., interference) or have 
limited effectiveness or are mitigated by improvements to the protocol. Also, we see
the analysis of our simplified model as a first step in establishing rigorous guarantees
of anonymity in increasingly realistic models. 

2.2. Probabilistic Anonymity 

A user performs an action anonymously in a possibilistic sense if there is an indistin- 
guishable configuration in which the user does not perform the action. For example, 
under this definition a user with observed output but unobserved input sends that out- 
put anonymously if there exists another user with unobserved input. The probability 
measure we have added to configurations allows us to incorporate the degree of cer- 
tainty that the adversary has about the subject of an action. After making observations 
in the actual configuration, the adversary can infer a conditional probability distribu- 
tion on configurations. There are several candidates in the literature for assessing an 
anonymity metric from this distribution. The probabilistic anonymity metric that we 
use is the posterior probability of the correct subject. The lower this is, the more anony- 
mous we consider the user. In part, we use this metric because it is simple. Also, any 
statements about entropy and maximum probability metrics only make loose guaran- 
tees about the probability assigned to the actual subject, a quantity that clearly seems 
important to the individual users. 

Observe that this choice assumes that the adversary has perfect prior information 
about the system. He may not actually know the underlying probability measure, how- 
ever. In particular, it doesn’t seem likely that the adversary would know how every 
user selects destinations. In our analysis, we take a worst-case view and assume that 
the adversary knows the distributions exactly. Also, over time he might learn a good 
approximation of user behavior via the long-term intersection attack [Danezis and Ser- 
jantov 2004]. In this case, it may seem as though anonymity has been essentially lost 
anyway. However, even when the adversary knows how a user generally behaves, the 
anonymity network may make it hard for him to determine who is responsible for any 
specific action, and the anonymity of a specific action is what we are interested in. 

2.3. Relationship Anonymity 

We analyze the relationship anonymity of users and destinations in our model, that is, 
how well the adversary can determine if a user and destination have communicated. 
Our metric for the relationship anonymity of user $u$ and destination $d$ is the posterior
probability $\psi$ that $u$ chooses $d$ as his destination. We study $\psi$ directly, although the
anonymity of a user’s communication with a destination is $1 - \psi$.

Using the posterior probability makes sense in this context because it focuses on the 
information that users are trying to hide — their actual destinations — without being 
affected by information the adversary learns about other destinations. Onion routing 
does leak information, and using a metric such as the entropy of the posterior distribu- 
tion or the statistical distance from the prior may not give a good idea of how well the 
adversary can correctly guess the user’s behavior. Designers may wish to know how 
well a system protects communications on average or overall. But it is also important 
for a user to be able to assess how secure he can expect a particular communication 
to be in order to decide whether to create it or not. This is the question we address. 
Moreover, the metric is relatively simple to analyze. Furthermore, to the extent that 
the user may not know how he fits in and thus wishes to know the worst risk for any 
user, that is just a lower bound on our metric. 

ACM Transactions on Information and System Security, Vol. V, No. N, Article A, Publication date: January YYYY.
Probabilistic Analysis of Onion Routing in a Black-box Model

The relationship anonymity of $u$ and $d$ varies with the destination choices of the
other users and the observations of the adversary. If, for example, $u$’s output is observed,
and the inputs of all other users are observed, then the adversary knows
$u$’s destination with probability 1. Because we want to examine the relationship
anonymity of $u$ conditioned only on his destination, we end up with a distribution
on the anonymity metric. We look at the expectation of this distribution. Moreover,
because this distribution depends on the destination distributions of all of the users,
we continue by finding the worst-case expectation in the limit for a given user and
destination and then examine the expectation in a more likely situation.
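
The metric described in Sections 2.1 to 2.3 can be checked numerically on small networks. The following Python sketch is an added example, not code from the paper: it enumerates every configuration of the black-box functionality of Fig. 1, groups configurations by the adversary's view, and returns the expected posterior probability that u chose d, given that u did choose d. The function names, the dictionary encoding of the destination distributions, and the sample distributions are assumptions made for illustration; the view is taken to be the multiset of (x, y) messages, following the definition of indistinguishable configurations.

```python
from collections import defaultdict
from itertools import product

BOT = None  # stands for the "not observed" symbol of Fig. 1


def user_options(u, dist, b):
    """All (probability, destination, message) outcomes for one user.

    The message (x, y) is what the functionality sends to the adversary:
    x is u with probability b, y is the destination with probability b.
    """
    options = []
    for d, p_d in dist.items():
        for in_obs, out_obs in product((False, True), repeat=2):
            pr = p_d * (b if in_obs else 1 - b) * (b if out_obs else 1 - b)
            if pr > 0:  # skip impossible outcomes
                msg = (u if in_obs else BOT, d if out_obs else BOT)
                options.append((pr, d, msg))
    return options


def view_table(dists, b, u, d):
    """Map each adversary view to [Pr(view), Pr(view and u chose d)].

    A view is the multiset of messages; configurations with the same view
    are indistinguishable to the adversary.
    """
    table = defaultdict(lambda: [0.0, 0.0])
    per_user = [user_options(v, dist, b) for v, dist in enumerate(dists)]
    for combo in product(*per_user):
        pr = 1.0
        for opt in combo:
            pr *= opt[0]
        view = tuple(sorted((opt[2] for opt in combo), key=repr))
        table[view][0] += pr
        if combo[u][1] == d:
            table[view][1] += pr
    return table


def expected_posterior(dists, b, u, d):
    """Expected posterior that u chose d, conditioned on u choosing d.

    Returned as (seen, unseen): the contribution of views in which u's
    input was observed, and of views in which it was not.
    """
    seen = unseen = 0.0
    for view, (total, hit) in view_table(dists, b, u, d).items():
        if hit == 0:
            continue
        posterior = hit / total       # adversary's belief given this view
        weight = hit / dists[u][d]    # Pr(view | u chose d)
        if any(x == u for x, _ in view):
            seen += weight * posterior
        else:
            unseen += weight * posterior
    return seen, unseen


# Constructed sample input: user 0 prefers "d"; the other users vary.
P_U = {"d": 0.7, "e": 0.3}
SCENARIOS = {
    "others behave like u": P_U,
    "others always pick u's least likely destination": {"d": 0.0, "e": 1.0},
    "others always pick d": {"d": 1.0, "e": 0.0},
}

if __name__ == "__main__":
    b, n = 0.5, 4
    for name, other in SCENARIOS.items():
        seen, unseen = expected_posterior([P_U] + [other] * (n - 1), b, 0, "d")
        print(f"{name:50s} E = {seen + unseen:.4f} (input observed: {seen:.4f})")
```

The enumeration visits up to (4 × number of destinations)^n configurations, so it is a check for small n only.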

2.4. Emulating the Ideal Functionality 

The anonymity analysis of the ideal functionality $\mathcal{F}_{OR}$ that we perform in Sections 3
and 4 is meaningful to the extent that $\mathcal{F}_{OR}$ captures the information that an adversary
can obtain by interacting with onion-routing protocols. We justify the functionality primarily
by showing that it provides the same information about the source of a given
connection as does onion-routing as captured in our previous formalization [Feigenbaum
et al. 2007]. Furthermore, we describe separate work showing that $\mathcal{F}_{OR}$ can be
UC-emulated by an onion-routing protocol.

Relationship to I/O-automata model. We have formalized onion routing using an I/O-
automata model [Lynch 1996] and an idealization of the cryptographic properties of 
the protocol [Feigenbaum et al. 2007]. Their analysis identifies the user states that are 
information-theoretically indistinguishable. The black-box model we provide herein is 
a valid abstraction of that formalization because, under some reasonable probability 
measures on executions, it preserves the relationship-anonymity properties. 

The I/O-automata model includes a set of users $U$, a set of routers $R$, an adversary
$A \subseteq R$, and a set of destinations $\Delta$, where we take the final router in the I/O-automata
model to be the destination and assume that it is uncompromised. A configuration $C$ in
the I/O-automata model is a mapping from each user $u \in U$ to a circuit $(r^u_1, \ldots, r^u_l) \in R^l$,
a destination $d^u \in \Delta$, and a circuit identifier $n^u \in \mathbb{N}^+$. An execution is a sequence of
I/O-automaton states and actions, which must be consistent with the configuration.

Let users in the I/O-automata model choose the other routers in their circuits uni- 
formly at random and choose the destination according to user-specific distributions. 
Given these circuits and a set of adversary automata, we have previously identified
[Feigenbaum et al. 2007] an equivalence class of circuit and destination choices with 
respect to which, for every pair of configurations in the class, a bijection exists be- 
tween their executions such that paired executions are indistinguishable. Let the in- 
distinguishable executions thus paired have the same probability, conditional on their 
configuration. 

Given this measure, the black-box model that abstracts the I/O-automata model has
the same user set $U$, the same destination set $\Delta$, an adversary parameter of $b = |A|/|R|$,
and the same destination distributions. The following theorem shows that each posterior
distribution on the destinations of users has the same probability under both
the I/O-automata model and its black-box model. Let $E$ be a random I/O-automata
execution. Let $X^a$ be a random I/O-automata configuration ($X^a$ can be viewed as a
function mapping a random execution to its configuration). Let $X^b$ be a random black-box
configuration. Let $\psi_1(u, d, E)$ be the posterior probability that $u$ visited $d$ in the
I/O-automata model, i.e., the conditional given that the execution is indistinguishable
from $E$. Let $\psi_2(u, d, X^b)$ be the posterior probability that $u$ visited $d$ in the black-box
model, i.e., the conditional distribution given that the configuration is indistinguishable
from $X^b$. Let $\psi_0(u, d)$ be a distribution over destinations $d$ for every $u$.

Theorem 2.1.

$$\Pr[\forall_{u \in U, d \in \Delta}\ \psi_1(u, d, E) = \psi_0(u, d)] = \Pr[\forall_{u \in U, d \in \Delta}\ \psi_2(u, d, X^b) = \psi_0(u, d)]$$

PROOF. Let $\phi$ be the map from I/O-automata configurations to black-box configurations
such that

(1) $\phi(C)_D(u) = d^u$

(2) $\phi(C)_I(u) = \begin{cases} 1 & \text{if } r^u_1 \in A \\ 0 & \text{otherwise} \end{cases}$

(3) $\phi(C)_O(u) = \begin{cases} 1 & \text{if } r^u_l \in A \\ 0 & \text{otherwise} \end{cases}$

$\phi$ essentially “quotients out” the specific router choices of each user, retaining the compromised
status of the first and last routers as well as the destination. It allows us to
relate the posterior $\psi_1$ in the I/O-automata model to the $\psi_2$ in the black-box model.

Let $C^a_1$ be any I/O-automata configuration. Given any execution $e$ of $C^a_1$, the adversary’s
posterior probability on configurations is

$$\frac{\Pr[X^a = C^a_2]}{\sum_{C^a \approx C^a_1} \Pr[X^a = C^a]}$$

if $C^a_2 \approx C^a_1$ and 0 otherwise, because we set equal the probability of two executions that
are paired with each other in the bijection on executions constructed in Feigenbaum
et al. [2007]. Because the configurations determine which destination each user visits,
the distribution $\psi_1(u, d, e)$ can be determined from the posterior distribution on configurations.
Notice that this distribution only puts positive probability on the set $\mathcal{C}^a$ of
configurations that are indistinguishable from $C^a_1$.

The posterior distribution on I/O-automata configurations induces a posterior distribution
on black-box configurations via $\phi$. $\phi$ preserves the destination of each user, and
so the distribution $\psi_1(u, d, e)$ can be determined from this distribution on black-box
configurations. Notice that this distribution only puts positive probability on the set of
black-box configurations $\phi(\mathcal{C}^a)$ that are mapped to by I/O-automata configurations in
$\mathcal{C}^a$.

To understand the set $\phi(\mathcal{C}^a)$ and its posterior distribution given $e$, consider the equivalence
class $\mathcal{C}^b$ of the configuration $\phi(C^a_1)$. Let $S$ be those configurations in $\mathcal{C}^a$ that differ
from $C^a_1$ only in the destinations and the permutation of users. From Theorems 1 and
2 in [Feigenbaum et al. 2007], it follows that $\phi$ is a bijection between $S$ and $\mathcal{C}^b$. The posterior
probability of each $C^a_2 \in S$ is proportional to $\Pr[X^b = \phi(C^a_2)]$ because the prior
probability of $C^a_2$ is $\Pr[X^b = \phi(C^a_2)]$ multiplied by the probability of selecting its given
routers (which are the same for all $s \in S$) given that $\phi(X^a) = \phi(C^a_2)$. Moreover, all of
the other configurations in $\mathcal{C}^a$ are reached by changing the unobserved routers of one
of the configurations in $S$. $\phi$ is invariant under such a change. Also, the posterior probability
is invariant under such a change because the routers are chosen independently
and uniformly at random. Furthermore, the number of I/O-automata configurations
that are reached by such a change from some $s \in S$ is the same for all $s$. Therefore, the
posterior probability $\Pr[\phi(X^a) = C^b \mid e]$ is proportional to $\Pr[X^b = C^b]$ for $C^b \in \mathcal{C}^b$, and
is zero otherwise. Therefore, $\psi_1(u, d, e) = \psi_2(u, d, \phi(C^a_1))$.

By this equality, the probability that a random execution $E$ results in a given posterior
$\psi_0(u, d)$ is equal to the probability that the I/O-automata configuration $X^a$ maps
under $\phi$ to a black-box configuration $\phi(X^a) = C^b$ such that $\psi_2(u, d, C^b) = \psi_0(u, d)$.
The probability $\Pr[\phi(X^a) = C^b]$ is equal to $\Pr[X^b = C^b]$ because the probability of
first-router compromise and the probability of an input being observed are both $b$, last-router
compromise and an output being observed are both independent events with
probability $b$, and user destinations are chosen independently in both models and follow
the same distributions. Therefore,

$$\Pr[\forall_{u \in U, d \in \Delta}\ \psi_1(u, d, E) = \psi_0(u, d)] = \Pr[\forall_{u \in U, d \in \Delta}\ \psi_2(u, d, X^b) = \psi_0(u, d)].$$


□

UC emulation. Expressing our black-box model within the UC framework allows it
to be compared to protocols expressed within the same framework. In particular, if a
protocol can be shown to UC-emulate $\mathcal{F}_{OR}$, then, making only common cryptographic
assumptions, the adversary can make only negligibly better guesses about users’ communication
when interacting with that protocol than he can interacting with the functionality.
Backes et al. [2012] show that such an argument can indeed be made. They
give an onion-routing protocol, show that it UC-emulates our black-box functionality,
and use this result to apply our results about anonymity to their system. For UC emulation,
it must be shown that an adversary cannot determine whether he is interacting
with the actual protocol or with a simulator that is itself only interacting with the ideal
functionality. Emulation of $\mathcal{F}_{OR}$ by an onion-routing protocol is achieved with a simulator
that makes all of the protocol decisions left undetermined by the interface. That is,
given partial information about a new connection from $\mathcal{F}_{OR}$, the simulator chooses an
onion-routing circuit consistent with that information and simulates the construction
of that circuit.

3. EXPECTED ANONYMITY 

Let the set $\mathcal{C}$ of all configurations be the sample space and $X$ be a random configuration.
Let $\Psi$ be the posterior probability of the event that $u$ chooses $d$ as a destination,
that is, $\Psi(C) = \Pr[X_D(u) = d \mid X \approx C]$. $\Psi$ is our metric for the relationship anonymity
of $u$ and $d$.

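Let $\mathbb{N}^\Delta$ represent the set of multisets over $\Delta$. Let $\rho(\Delta^0)$ be the maximum number of
orderings of $\Delta^0 \in \mathbb{N}^\Delta$ such that the same destination is in any given location in every
ordering:

$$\rho(\Delta^0) = \prod_{\delta \in \Delta} |\{\delta \in \Delta^0\}|!$$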

Let n (A,B) be the set of all injective maps A —> B. The following theorem gives 
an exact expression for the conditional expectation of T in terms of the underlying 
parameters U, A, p, and 6: 

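Theorem 3.1.

$$
\begin{aligned}
E[\Psi \mid X_D(u) = d] ={} & b(1-b)p^u_d + b^2 + {} \\
& \sum_{S \subseteq U : u \in S}\ \sum_{\Delta^0 \in \mathbb{N}^\Delta : |\Delta^0| \le |S|} b^{n-|S|+|\Delta^0|}(1-b)^{2|S|-|\Delta^0|} \cdot {} \\
& \left( \sum_{T \subseteq S-u : |T| = |\Delta^0|-1}\ \sum_{\pi \in \Pi(T+u,\Delta^0) : \pi(u) = d} p^u_d \prod_{v \in T} p^v_{\pi(v)}
 + \sum_{T \subseteq S-u : |T| = |\Delta^0|}\ \sum_{\pi \in \Pi(T,\Delta^0)} p^u_d \prod_{v \in T} p^v_{\pi(v)} \right)^{2} \cdot {} \\
& [\rho(\Delta^0)]^{-1} (p^u_d)^{-1} \left( \sum_{T \subseteq S : |T| = |\Delta^0|}\ \sum_{\pi \in \Pi(T,\Delta^0)} \prod_{v \in T} p^v_{\pi(v)} \right)^{-1} \qquad (1)
\end{aligned}
$$

Proof. At a high level, the conditional expectation of $\Psi$ can be expressed as:

$$E[\Psi \mid X_D(u) = d] = \sum_{C \in \mathcal{C}} \Pr[X = C \mid X_D(u) = d]\, \Psi(C).$$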
We calculate $\Psi$ for a configuration $C$ by finding the relative weight of indistinguishable configurations in which $u$ selects $d$. The adversary observes some subset of the circuits. If we match the users to circuits in some way that sends users with observed inputs to their own circuits, the result is an indistinguishable configuration. Similarly, we can match circuits to destinations in any way that sends circuits on which the output has been observed to their actual destination in $C$.

The value of $\Psi(C)$ is especially simple if $u$’s input has been observed. If the output has not also been observed, then $\Psi(C) = p^u_d$. If the output has also been observed, then $\Psi(C) = 1$.

For the case in which $u$’s input has not been observed, we have to take into account the destinations of and observations on the other users. Let $S \subseteq U$ be the set of users $s$ such that $C_I(s) = 0$. Note that $u \in S$. Let $\Delta^0$ be the multiset of the destinations of circuits in $C$ on which the input has not been observed, but the output has.

Let $f_0(S, \Delta^0)$ be the probability that in a random configuration the set of unobserved inputs is $S$ and the set of observed destinations with no corresponding observed input is $\Delta^0$:

$$f_0(S, \Delta^0) = b^{n-|S|+|\Delta^0|}(1-b)^{2|S|-|\Delta^0|} [\rho(\Delta^0)]^{-1} \sum_{T \subseteq S : |T| = |\Delta^0|}\ \sum_{\pi \in \Pi(T,\Delta^0)} \prod_{v \in T} p^v_{\pi(v)}.$$

Let $f_1(S, \Delta^0)$ be the probability that in a random configuration the set of unobserved inputs is $S$, the set of observed destinations with no corresponding observed input is $\Delta^0$, the output of $u$ is observed, and the destination of $u$ is $d$:

$$f_1(S, \Delta^0) = b^{n-|S|+|\Delta^0|}(1-b)^{2|S|-|\Delta^0|} [\rho(\Delta^0)]^{-1} p^u_d \sum_{T \subseteq S-u : |T| = |\Delta^0|-1}\ \sum_{\pi \in \Pi(T+u,\Delta^0) : \pi(u) = d} \prod_{v \in T} p^v_{\pi(v)}.$$

Let $f_2(S, \Delta^0)$ be the probability that in a random configuration the set of unobserved inputs is $S$, the set of observed destinations with no corresponding observed input is $\Delta^0$, the output of $u$ is unobserved, and the destination of $u$ is $d$:

$$f_2(S, \Delta^0) = b^{n-|S|+|\Delta^0|}(1-b)^{2|S|-|\Delta^0|} [\rho(\Delta^0)]^{-1} p^u_d \sum_{T \subseteq S-u : |T| = |\Delta^0|}\ \sum_{\pi \in \Pi(T,\Delta^0)} \prod_{v \in T} p^v_{\pi(v)}.$$

Now we can express the posterior probability $\Psi(C)$ as:

$$\Psi(C) = \frac{f_1(S, \Delta^0) + f_2(S, \Delta^0)}{f_0(S, \Delta^0)} \qquad (2)$$

The expectation of $\Psi$ is a sum of the above posterior probabilities weighted by their probability. The probability that the input of $u$ has been observed but the output hasn’t is $b(1-b)$. The probability that both the input and output of $u$ have been observed is $b^2$. These cases are represented by the first two terms in Equation 1.

When the input of $u$ has not been observed, we have an expression of the posterior in terms of sets $S$ and $\Delta^0$. The numerator ($f_1 + f_2$) of Equation 2 itself actually sums the weight of every configuration that is consistent with $S$, $\Delta^0$, and the fact that the destination of $u$ is $d$. However, we must divide by $p^u_d$, because we condition on the event $\{X_D(u) = d\}$.

These observations give us the remaining terms in Equation 1. □
3.1. Simple approximation of conditional expectation

The expression for the conditional expectation of $\Psi$ in Equation 1 is difficult to interpret. It would be nice if we could find a simple approximation. The probabilistic analysis in Syverson et al. [2000] proposes just such a simplification by reducing it to only two cases: i) the adversary observes the user’s input and output and therefore identifies his destination, and ii) the adversary doesn’t observe these and cannot improve his a priori knowledge. The corresponding simplified expression for the expectation is:

$$E[\Psi \mid X_D(u) = d] \approx b^2 + (1-b^2)p^u_d. \qquad (3)$$

This is a reasonable approximation if the final summation in Equation 1 is about $(1-b)p^u_d$. This summation counts the case in which $u$’s input is not observed, and to achieve a good approximation the adversary must experience no significant advantage or disadvantage from comparing the users with unobserved inputs ($S$) with the discovered destinations ($\Delta^0$).

The quantity $(1-b)p^u_d$ does provide a lower bound on the final summation. It may seem obvious that considering the destinations in $\Delta^0$ can only improve the accuracy of the adversary’s prior guess about $u$’s destination. However, in some situations the posterior probability for the correct destination may actually be smaller than the prior probability. This may happen, for example, when some user $v$, $v \ne u$, communicates with a destination $e$, $e \ne d$, and only $u$ is a priori likely to communicate with $e$. If the adversary observes the communication to $e$, it may infer that it is likely that $u$ was responsible and therefore didn’t choose $d$.

It is true, however, that in expectation this probability can only increase. Therefore Equation 3 provides a lower bound on the anonymity metric.

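The proof of this fact relies on the following lemma. Let $\mathcal{E}$ be an event in some finite sample space $\Omega$. Let $A_1, \ldots, A_n$ be a set of disjoint events such that $\mathcal{E} \subseteq \bigcup_i A_i$, and let $A^j = \bigcup_{i=1}^{j} A_i$. Let $\mathcal{E}_i = \mathcal{E} \cap A_i$. Finally, let $Y(\omega) = \sum_i 1_{\mathcal{E}_i}(\omega) \Pr[\mathcal{E}_i]/\Pr[A_i]$ (where $1_{\mathcal{E}_i}$ is the indicator function for $\mathcal{E}_i$). $Y(\omega)$ is thus the conditional probability $\Pr[\mathcal{E} \mid A_i]$, where $\omega \in \mathcal{E}_i$.

Lemma 3.2. $\Pr[\mathcal{E} \mid A^n] \le E[Y \mid \mathcal{E}]$

Proof.

$$
\begin{aligned}
\Pr[\mathcal{E} \mid A^n] &= \frac{\Pr[\mathcal{E}]}{\Pr[A^n]} \\
&= \frac{\left( \sum_i \frac{\Pr[\mathcal{E}_i]}{\sqrt{\Pr[A_i]}} \sqrt{\Pr[A_i]} \right)^2}{\Pr[A^n]\Pr[\mathcal{E}]} && \text{by a simple rewriting} \\
&\le \frac{\left( \sum_i \frac{(\Pr[\mathcal{E}_i])^2}{\Pr[A_i]} \right) \left( \sum_i \Pr[A_i] \right)}{\Pr[A^n]\Pr[\mathcal{E}]} && \text{by the Cauchy-Schwarz inequality} \\
&= \sum_i \frac{(\Pr[\mathcal{E}_i])^2}{\Pr[A_i]\Pr[\mathcal{E}]} \\
&= E[Y \mid \mathcal{E}]
\end{aligned}
$$

□

Theorem 3.3. $E[\Psi \mid X_D(u) = d] \ge b^2 + (1-b^2)p^u_d$

PROOF. As described in the proof of Theorem 3.1:

$$E[\Psi \mid X_D(u) = d] = b^2 + b(1-b)p^u_d + (1-b)\,E[\Psi \mid X_D(u) = d \wedge X_I(u) = 0].$$

To apply Lemma 3.2, take the set of configurations $\mathcal{C}$ to be the sample space $\Omega$. Take $\{X_D(u) = d\}$ to be the event $\mathcal{E}$. Take the equivalence classes of the indistinguishability relation to be the sets $A_i$. Finally, take $\Psi$ to be $Y$. Then the lemma shows that $E[\Psi \mid X_D(u) = d \wedge X_I(u) = 0] \ge p^u_d$. □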
3.2. Worst-case Anonymity

To examine the accuracy of our approximation, we look at how large the final summation in Equation 1 can get as the users’ destination distributions vary. Because this is the only term that varies with the other user distributions, this will also provide a worst-case guarantee on the expected anonymity metric. Our results will show that, in the limit as the number of users grows, the worst case can occur when the users other than $u$ act as differently from $u$ as possible by always visiting the destination $u$ is otherwise least likely to visit. Less obviously, we show that the limiting maximum can also occur when the users other than $u$ always visit $d$. This happens because it makes the adversary observe destination $d$ often, causing him to suspect that $u$ chose $d$. Our results also show that the worst-case expectation is about $b + (1-b)p^u_d$, which is significantly worse than the simple approximation above.

As the first step in finding the maximum of Equation 1 over $(p^v)_{v \ne u}$, we observe that it is obtained when every user $v \ne u$ chooses only one destination $d_v$, i.e. $p^v_{d_v} = 1$ for some $d_v \in \Delta$.

LEMMA 3.4. A maximum of $E[\Psi \mid X_D(u) = d]$ over $(p^v)_{v \ne u}$ must occur when, for all $v \ne u$, there exists some $d_v \in \Delta$ such that $p^v_{d_v} = 1$.

PROOF. Take some user $v \ne u$ and two destinations $e, f \in \Delta$. Assign arbitrary probabilities in $p^v$ to all destinations except for $f$, and let $\zeta = 1 - \sum_{\delta \ne e, f} p^v_\delta$. Then $p^v_f = \zeta - p^v_e$. Consider $E[\Psi \mid X_D(u) = d]$ as a function of $p^v_e$. The terms $t_i$ of Equation 1 that correspond to any fixed $S$ and $\Delta^0$ are of the following general form, where $c^i_1, c^i_2, c^i_3, c^i_4, c^i_5, c^i_6 \ge 0$:

$$t_i = \frac{\left(c^i_1 p^v_e + c^i_2(\zeta - p^v_e) + c^i_3\right)^2}{c^i_4 p^v_e + c^i_5(\zeta - p^v_e) + c^i_6}.$$

This is a convex function of $p^v_e$:

$$D^2_{p^v_e} t_i = \frac{2\left(c^i_3(c^i_4 - c^i_5) + c^i_2(c^i_4 \zeta + c^i_6) - c^i_1(c^i_5 \zeta + c^i_6)\right)^2}{\left(c^i_5(\zeta - p^v_e) + c^i_4 p^v_e + c^i_6\right)^3} \ge 0.$$

The leading two terms of $E[\Psi \mid X_D(u) = d]$ are constant in $p^v$, and the sum of convex functions is a convex function, so $E[\Psi \mid X_D(u) = d]$ is convex in $p^v_e$. Therefore, a maximum of $E[\Psi \mid X_D(u) = d]$ must occur when $p^v_e \in \{0, 1\}$. □

Order the destinations $d = d_1, \ldots, d_{|\Delta|}$ such that $p^u_{d_i} \ge p^u_{d_{i+1}}$ for $i > 1$. The following lemma shows that we can further restrict ourselves to distribution vectors in which, for every user except $u$, the user either always chooses $d$ or always chooses $d_{|\Delta|}$.

LEMMA 3.5. A maximum of $E[\Psi \mid X_D(u) = d]$ must occur when, for all users $v$, either $p^v_{d_1} = 1$ or $p^v_{d_{|\Delta|}} = 1$.

PROOF. Assume, following Lemma 3.4, that $(p^v)_{v \ne u}$ is an extreme point of the set of possible distribution vectors.

Equation 1 groups configurations first by the set $S$ with unobserved inputs and second by the observed destinations $\Delta^0$. Instead, group configurations first by $S$ and second by the set $T \subseteq S$ with observed outputs. Because every user except $u$ chooses a destination deterministically, $\Psi$ only depends on the sets $S$ and $T$. Let $\Psi_1(S, T)$ be this value.

$$E[\Psi \mid X_D(u) = d] = b(1-b)p^u_d + b^2 + \sum_{S : u \in S}\ \sum_{T : T \subseteq S} b^{n-|S|+|T|}(1-b)^{2|S|-|T|}\, \Psi_1(S, T). \qquad (4)$$
Select two destinations $d_i$, $d_j$, $1 < i < j$. We break up the sum in Equation 4 and show that, for every piece, the sum can only be increased by changing $(p^v)_v$ so that any user that always chooses $d_i$ always chooses $d_j$ instead.

Fix $S \subseteq U$ such that $u \in S$. Let $S_i, S_j \subseteq S$ be such that $p^s_{d_i} = 1$ if and only if $s \in S_i$, and $p^s_{d_j} = 1$ if and only if $s \in S_j$. Fix $T' \subseteq S \setminus S_i \setminus S_j$ and some $t \ge |T'|$.

Let $f(S, T')$ be the sum of terms in Equation 4 that are indexed by $S$ and some $T$ such that $|T| = t$ and $T \supseteq T'$. To calculate $f(S, T')$, group its terms by the number $t_{d_i}$ of users $v$ in $T$ such that $X_D(v) = d_i$. Let $t_e$ be the number for these terms of users $v$ in $T'$ such that $X_D(v) = e$, $e \in \Delta \setminus \{d_i, d_j\}$. The number $t_{d_j}$ of users $v$ such that $X_D(v) = d_j$
for these terms is then t - J2 e eA -d te- number of users v in S — u such 

that X D [v) = e. The number of terms in f(S,T ') with a given t d/ is then 




For each of these terms, $\Psi_1$ is the same. To calculate it, let $f_\delta$ be the number of configurations that yield the given $S$ and $(t_e)_{e \in \Delta}$ and are such that $u$’s output is observed with destination $\delta$:


fs(t di ) 



and let $f_0$ be the number of configurations that yield the same $S$ and $(t_e)_{e \in \Delta}$ and are such that $u$’s output is unobserved:


= n 


eSA 


Then the posterior probability given $S$ and $(t_e)_{e \in \Delta}$ is

$$\frac{p^u_d \left( f_d(t_{d_i}) + f_0(t_{d_i}) \right)}{\sum_{\delta \in \Delta} p^u_\delta f_\delta(t_{d_i}) + f_0(t_{d_i})}.$$


Therefore, letting m = t - J2 e e A\{d itdj } 


f(S, T') =b n ~\ s]+t ( 1 - &) 2|s| -‘ 



P d (fd(t di ) + fo(t di )) 
T.seAPsfstfdi) + fo{tdiY 


The binomial coefficients of fs and f 0 in the numerator and denominator largely 
cancel, and the whole expression can be simplified to 

f( 9 T 1 ) — V' ( Sdi \( Sdj ^ (sdj + 1 - td^js^ + 1 - m + t di ) 
a t ^\t di )\jn-t di ) f P di (sdi + l)(s dj + 1 - m + t di )+ 

Pdji S dj + l)(Sdi + 1 — td,) + 

\ (s di + 1 - t di ){s dj + 1 -m + t di )f} 


for some a, /3 > 0. 

This can be seen as the weighted convolution of binomial coefficients. Unfortunately, there is no obvious way to simplify the expression any further to find the maximum as we trade off $s_{d_i}$ and $s_{d_j}$. There is a closed-form sum if the coefficient of the binomial product is a fixed-degree polynomial, however. Looking at the coefficient, we can see that it is concave.

_ {s di +l-t di )(s dj +l-m+t di ) 

° td i ~ P di (srfj -fttKsdj ! 1 )+P d . («<q +l)(»d i )+( s d 4 + 1 ~td i )(,s dj +1 -m+t d . )/3 ‘ 

/ 2 ((sdi + l)(sdj + 1)(2 + Sdi + s dj — m) 2 p di p d .+ 

_ \K( s di +!)(sd, +l + *di -m) 3 p%. + (s d . +l)(sdi + l-^) 3 Pd,.)) 

Ctd i ((sdj +i+td i —m)(b(sd i + l-td t )+P di ( s d i +l)) + (sdj +l)(sd i +l—td i )p dj ) 3 

<0. 

We can use this fact to bound the sum above by replacing c td . with a line tangent at 

some point i 0 . Call this approximation /. Holding s di +Sd j constant, this approximation 
is in fact equal at s di = 0 because the sum has only one term. Then, if s di = 0 still 
maximizes the sum, the theorem is proved. Let d = D t c td I _ . . 

0 a i a i I td- — *o 


m / \ / \ 

f(S,T') < Y. (j)(m’-\) (C '‘« ( ‘*“ io) + C ‘" ) 


t di — o 

' Sdi + s d. 

m 

= f{S, T'). 


/ s di / . 
Ci ° +Ci ° Sdz+Sdi Ci ° 10 


The linear approximation will be done around the point i 0 = m- Sdi/{sdi + s dj j . This 
results in a simple form for the resulting approximation, and also the mass of the 
product of binomial coefficients concentrates around this point. Set v — Sdi + s dj to 
examine the tradeoff between s di and s d] ■ 


( ((v - s di )(v - m) + v){{s di + 1 )v -m - s di ) 

\m) ( p u d v{sdi + t)((^ - s di )(v - m) + v)+ 

Pd j v ( v - + 1 )( u + s di {v ~m))+ 

\ /3((s di + 1 )v-m- S di )((y - s di ){v - m) + v) 

Lemma A.l in the Appendix shows that / is convex in s di . Thus, the maximum of / 
must exist at s di = 0 or s di = v. Observe that when s di = 0, 

v \ 1 — in + v 

m) p dj ( 1 + v)+ /?(1 -m + v) +p di ( 1 — m + v) 

and when s di = v 

f _ ( v \ 1 — m + v 

\my p dj { 1 - m + v) + fi(l - m + v) +p di ( 1 + v) ' 

Therefore, because p di > p dj , f is larger when s di = 0. As stated, this implies that / 
itself is maximized when s di = 0. 




□ 

Therefore, in looking for a maximum we can assume that every user except $u$ either always visits $d$ or always visits $d_{|\Delta|}$. To examine how anonymity varies with the number of users in each category, we derive an asymptotic estimate for large $n$. A focus on large $n$ is reasonable because anonymity networks, and onion routing in particular, are understood to have the best chance at providing anonymity when they have many users. Furthermore, Tor is currently used by an estimated 500,000 people.

Let $\alpha = |\{v \ne u : p^v_d = 1\}|/(n-1)$ be the fraction of users that always visit $d$. Theorem 3.6 gives an asymptotic estimate for the expected posterior probability given a constant $\alpha$. It shows that, in the limit, the maximum expected posterior probability is obtained when all users but $u$ always visit $d$ or when they always visit $d_{|\Delta|}$.

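THEOREM 3.6. Assume that, for all $v \ne u$, either $p^v_d = 1$ or $p^v_{d_{|\Delta|}} = 1$. Then, if $\alpha = 0$,

$$E[\Psi \mid X_D(u) = d] = b(1-b)p^u_d + b^2 + (1-b)\left( b + \frac{p^u_d (1-b)^2}{1 - b + p^u_{d_{|\Delta|}} b} \right) + O\left( \sqrt{\frac{\log(n)}{n}} \right),$$

if $0 < \alpha < 1$,

$$E[\Psi \mid X_D(u) = d] = b(1-b)p^u_d + b^2 + (1-b)\,\frac{p^u_d}{1 - b + p^u_d b + p^u_{d_{|\Delta|}} b} + O\left( \sqrt{\frac{\log(n)}{n}} \right),$$

and, if $\alpha = 1$,

$$E[\Psi \mid X_D(u) = d] = b(1-b)p^u_d + b^2 + (1-b)\,\frac{p^u_d}{1 - b + p^u_d b} + O\left( \sqrt{\frac{\log(n)}{n}} \right).$$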


PROOF. Let $n_e = \alpha(n-1)$ and $n_f = (1-\alpha)(n-1)$. The expected posterior probability can be given in the following variation on Equation 4:

$$
\begin{aligned}
E[\Psi \mid X_D(u) = d] ={} & b(1-b)p^u_d + b^2 + (1-b) \cdot {} \\
& \sum_{e=0}^{n_e} \binom{n_e}{e} (1-b)^e b^{n_e - e} \sum_{f=0}^{n_f} \binom{n_f}{f} (1-b)^f b^{n_f - f} \cdot {} \\
& \sum_{j=0}^{f} \binom{f}{j} b^j (1-b)^{f-j} \sum_{k=0}^{e} \binom{e}{k} b^k (1-b)^{e-k} \cdot {} \\
& \left[ b\,\Psi_2(e, f, j, k+1) + (1-b)\,\Psi_2(e, f, j, k) \right]. \qquad (5)
\end{aligned}
$$

Here $\Psi_2(e, f, j, k)$ is the value of $\Psi$ when the users with unobserved inputs consist of $u$, $e$ users $v \ne u$ with $p^v_d = 1$, and $f$ users $v \ne u$ with $p^v_{d_{|\Delta|}} = 1$; and the users with unobserved inputs and observed outputs consist of $k$ users $v$ with $X_D(v) = d$ and $j$ users $v$ with $X_D(v) = d_{|\Delta|}$. Given such a configuration, the number of indistinguishable configurations in which $u$ has observed destination $d$ is $\binom{e}{k-1}\binom{f}{j}$, the number of indistinguishable configurations in which $u$ has observed destination $d_{|\Delta|}$ is $\binom{e}{k}\binom{f}{j-1}$, and the number of indistinguishable configurations in which $u$ has an unobserved destination is $\binom{e}{k}\binom{f}{j}$. Thus, we can express $\Psi_2$ as

$$\Psi_2(e, f, j, k) = \frac{p^u_d \binom{e}{k-1}\binom{f}{j} + p^u_d \binom{e}{k}\binom{f}{j}}{p^u_d \binom{e}{k-1}\binom{f}{j} + p^u_{d_{|\Delta|}} \binom{e}{k}\binom{f}{j-1} + \binom{e}{k}\binom{f}{j}}.$$

The binomial coefficients largely cancel, and so we can simplify this equation to

$$\Psi_2(e, f, j, k) = \frac{p^u_d (e+1)(f-j+1)}{p^u_d\, k (f-j+1) + p^u_{d_{|\Delta|}}\, j (e-k+1) + (e-k+1)(f-j+1)}.$$
We observe that $j$ and $k$ are binomially distributed. Therefore, by the Chernoff bound, they concentrate around their means as $e$ and $f$ grow. Let $\mu_1 = fb$ be the mean of $j$ and $\mu_2 = eb$ be the mean of $k$. We can approximate the tails of the sums over $j$ and $k$ in Equation 5 and sum only over the central terms:

E[*\X d {u) =d\ = 6(1 - b)p u d + 6 2 + 

(! - b) £ f ) (1 - b) e b n °- e £ (7 ) (1 - bYb^-f- 

e — 0 ' ' f = 0 ' ^ ' 

O (exp(— 2ci)) + O (exp(— 2 c 2 )) + 

£ ((W-fp-’ £ LVa-i-rd 

j:\j~Hl\<VciJ k:\k- n 2 \<s/&Ie 

( b'f> 2 {e,f,j,k + 1) + (1 - 6)T 2 (e,/,j, A:)) . 


As $j$ and $k$ concentrate around their means, $\Psi_2$ will approach its value at those means. Let

$$\epsilon_1(j, k, u) = \Psi_2(e, f, j, k+u) - \Psi_2(e, f, \mu_1, \mu_2 + u)$$

be the difference of $\Psi_2$ from its value at $\mu_1$ and $\mu_2 + u$, where $u \in \{0, 1\}$ indicates if $u$’s output is observed.

$\Psi_2$ is non-increasing in $j$ and is non-decreasing in $k$:


(l + e)(l + /)(l + e-fc)^ |A| ^ 

f (! + /)(! + e — k)p u dw + 

V C 1 + / - J ~ u)(Pd( e + 1) + (1 - Pd - Pd l& ,)(! + e - k)) 

< 0 . 


(1 + e)(l + / - j)p u d {P U d w (! + /) + (!- Pd ~ Pd ^ ,)( 1 + / - j)) 

( Y + f)Y + e-k-u)p % { A |+ \ 2 

V (! + / - i)((! + e )Pd + (1 + e-k- u)( 1 - - P^ |A| )) J 


Because the signs of these derivatives are constant, the magnitude of e\ is largest 
when j and k are as large or as small as possible. We can therefore bound the magni- 
tude of £1 with 


max 

o-e{-i,i} 

«e{o,i} 


( £ 1 (pi + a\[cY], P 2 + uj 


= max 
<^€{-1,1} 
uS{0,l} 


H' 2 (e, /, Pi + <t yfcif j p 2 + 0 'v / C 2 e + u) 


= o(vW7) +o(v^) , 


^2(e, /,pi,p 2 + u) 
where the second line follows from a simple expansion of $\Psi_2$ according to Equation 3.2. We use this estimate to approximate the value of $\Psi_2$:

^2 (e,f,j,k + u) = ^ 2 (e,/,Mi)M2 + u) + e 1 (j,k,u) 

= ^(e, /> 1*1! P2 + u) + O (vW 7 ) + O ^\/ c 2 / . 


We set ci = log(/)/4 and c 2 = log(e)/4, and then Equation 6 becomes 
E[V\X D (u) =d} = 6(1 - 6)p^ + 6 2 + 

We / \ n f / \ 

(! - 6 ) £ ( 6 ) (! - E ( / ) (! - 

e=0 V e ' /— 0 V 7 ' 

r (7) 

6^2 (e, /, pi, p 2 + 1) + (1 - 6)4' 2 (e,/,pi,p 2 )+ 

O (\/iog (/)//) + O (\/log(e)/e) . 


e and / in this expression are binomially distributed. Let q 3 = n e (l — 6) be the mean 
of e and /i 4 = n/(l — 6) be the mean of /. By applying the Chernoff bound to the sum 
over e, setting the tails to start at min (6. 1 — b)n e /2 from p 3 , we can see that 

Er; K 1 - &) e & n -~ e E 7 (1 - b) f b n '- f o (ivi) = o (v^wk) . 

e=0 ' ^ / = o \ J / 

We can similarly show that 

E (?) C 1 - b) e b n °- e £ ( 7 ) (1 “ (t/log(/)//) = O U\og (n f )/n f ) . 

e=0 ' 7 /=0 ^ 7 / V / 


For the remaining terms inside both sums, approximate the sums over e and / using 
the Chernoff bound by setting the tails to be those terms more than ,/c 3 n e from /i 3 and 
more than ^/c^nj from //, , , respectively. This yields 


E[*\X d (u) =d\ = 6(1 - b)p u d + b 2 + 

O {[log{n e )/n e )~ 1/2 ^j + O (( log(nf)/nf )~ 1/ 2 ) + O (e _2c3 ) + O (e _2c4 ) + 

(1-6) e E ( n /)( 1 - 6 ) /6 " /_/ - 

e:|e-M3l<V c 3"e /:|/-At 4 |<V c 4«/ 

[ 64 ' 2 (e, /, pi, q 2 + 1) + (1 - 6)W 2 (e, /,pi,/u 2 )] . 


As e and / concentrate around their means, T2 will approach its value at those 
means. Let 


£2 (e, /,u) = T 2 (e,/,pi,p 2 +u) - ^ 2 (p 3 , /x 4 , qi, p 2 + u) 
be the difference of $\Psi_2$ from its value at $e = \mu_3$ and $f = \mu_4$, $u \in \{0, 1\}$. $\Psi_2(e, f, \mu_1, \mu_2)$ is non-decreasing with respect to $e$:


£> e ^2(e,/,Pl,p 2 ) = 


(i + (i - b)f)bp u d ((f + 1)(1 - P3) - /b(i - - Pd |A , )) 

/(l + (l-6)/)(l + (l-6)e)+' 

(l + (l-6)/)(6e)pS+ 

\ fo /(! + (1 - &)e + u)p% u 


■|A| 


> 0. 


*f> 2 (e, /, pi, p 2 + 1) is non-increasing with respect to e: 

(1 + (1 - &)/)(! - 6)pS(/6(l - pS, a , - PS) -(/ + !)(!- p^)) 


D e ^ 2 {e,f,n i,p 2 ) = 


/((l-6)/)(l + (l-6)e)+ 
(l + (l-6)/)(6e+l)p^+ 

V 5 /((! - b ) e )Pd, A| 


< 0. 


*f> 2 (e, /, pi, p 2 + u), u e {0, 1}, is non-increasing with respect to /: 

-6(l + e)(l + (l-6)e + u)p^ N 

Df'S 2 (e, /,pi,p 2 + «) = 


(1 + (1 — b)f)(l + (1 — b)e + u)+ 
(l + (l-6)/)(6e + u)p^+ 

&/(l + (1 - &)e + u)p^ 


< 0. 

Therefore, the magnitude of e 2 is largest when e and / are as large or as small as 
possible. We can therefore estimate the magnitude of e 2 with 

max (|e 2 (p 3 + cr^/c 3 n e , p 4 + oJctfif, u) I) . 

<re{— 1,1} Vl v 7 17 

«e{o,i} 


If n e , iif 7^ 0 , 

£2 (p3 + cry/c 3 n e ,H4 + cr 1 /c 4 n/,u) =\E , 2 (P3 + cr^/c 3 n e ,fi4 + cr^/c 4 n/,/xi,/x 2 + «)- 

W 2 (a^3, M4, P2 +«) 

=0 (^Jc 3 /n^j + O (^Jc4/n.f^j . 

If n e = 0 , which occurs when a = 0 , 

£2 (0, p 4 + <7 sjc4rif, U ) = *2(0, p 4 + & \JC4Tlf , Hi ,u) - tf 2 ( 0 , /X4, Pi, u) 

= 0 ■ 

If rif = 0 , which occurs when a = 1 , the final term becomes 

£2 (P3 + v^c 3 n e , 0 , u) = \H 2 (p 3 + t Ty/c 3 n e , 0 , 0 , p 2 + u) - ^2(^3, 0 , 0 , p 2 + u) 

= O (\/c 37 «e) • 

These asymptotic estimates of e 2 follow from a simple expansion of v h 2 according to 
Equation 3 . 2 . 
We use these estimates to approximate the value of $\Psi_2$ as $e$ and $f$ grow:


^ 2 (e,/,pi,/i 2 +u) 


^' 2 (a*3,M4,M1)M2 +u)+£ 2 (e,f,u) 

'&2{P3,IM,Pi,P2 +u) + 0 (V c 3 /n e ) + O (\Jc 4 /n f 


We set c 3 = log(n e )/4 and c 4 = log(n/)/4, and then Equation 8 becomes 


E[*\X d (u) =d] = 6(1 - b)p u d + 6 2 + 

(1 - 6) [6T> 2 (m 3 ,M4,Mi,M 2 + 1) + (1 - 6)'h 2 (/4 3 ,/x 4 ,pi,p 2 )] + 

O ([log(n e )/n e )- 1/2 ^ + O (( log(n f )/n f )~ 1/ 2 ) . 


(9) 


Finally, we must estimate W 2 (/rr 3 , /x 4 , Mi, p 2 + u), u G {0, 1}. Assume that 0 < cr < 1 
and thus that n e = a(?x — 1) and n/ = (1 — a){n — 1) are both increasing with n. Then 


W 2 (At3, At4, Ml, /^ 2 + U) 


4 f 2 ((l — b)n e , (1 — b)nf, 6(1 — 6)n/, 6(1 — b)n e + u ) 
P d ( 1 - 6) 3 n e n/ + cin e + c 2 nj + c 3 
/ ((1 - 6) 4 + p u d (l - 6) 3 6 + p 3 |a| (1 - 6) 3 6)n e n/+ \ 
V c 4n e + c 5 nf + c 6 / 



+ 0(l/n e ) + 0(l/n/) + 0(l/(n e n/)), 


where ci, . . . , c 6 are some values constant in n e and n/. When a = 0, then n e = 0, and 
the estimate becomes 


^2(M3,M4, Ml) M2 + «) 


$ 2 (0, (1 — b)n.f, 6(1 - b)nf,u) 

Pd(! - b)n f +c i 

((1 - u)(l - 6) +p>(l - 6) +Pd |A| (l - u)b)n f + c 2 


Pdi 1 - b ) 

((1 - u)(l - 6) +p d u(l - 6) +p“ A| (l 


u)b) 


+ 0(l/n f ), 


where ci, c 2 are some values constant in nf. When a = 1, then n/ = 0, and the estimate 
becomes 


^2^3, M4, Ml, M2 + «) 


T 2 ((l - 6)n e , 0, 0, 6(1 - b)n e + u) 
Pd n e + Cl 

((1 - 6) + p d b)n e + c 2 


Pd 

1 - b + p d b 


0(l/n e ), 


where ci, c 2 are some values constant in n e . 

Inserting these estimates for \E' 2 (/x 3 ,M4,Mi ) M 2 + M ) into Equation 9 yields the theo- 
rem. □ 


It follows from this theorem that the worst case anonymity over user distributions occurs either when all users always visit $d_{|\Delta|}$ or when all users always visit $d$.

COROLLARY 3.7. $\lim_{n \to \infty} E[\Psi \mid X_D(u) = d]$ is maximized either at $\alpha = 0$ or at $\alpha = 1$.

PROOF. The case $\alpha = 1$ is larger in the limit than the case where $0 < \alpha < 1$, by Thm. 3.6, because

$$\frac{p^u_d}{1 - b + p^u_d b + p^u_{d_{|\Delta|}} b} < \frac{p^u_d}{1 - b + p^u_d b}.$$

□

The case $\alpha = 1$ is the worst case only when

$$p^u_{d_{|\Delta|}} \ge \frac{(1-b)(1-p^u_d)^2}{p^u_d(1+b) - b}.$$

This happens when $p^u_d \ge 1/2$ and $p^u_{d_{|\Delta|}}$ is near $1 - p^u_d$. That is, if the user is likely to visit $d$ and the other users can’t distinguish themselves too much, then it is worst to have them always visit $d$ because the adversary will blame $u$.

However, we would expect $p^u_{d_{|\Delta|}}$ to be small because it is at most $1/|\Delta|$. In this case the worst-case limiting distribution has $\alpha = 0$, that is, it is worst when the other users always act very different from $u$ by visiting $d_{|\Delta|}$. Then the expected assigned probability is about $b + (1-b)p^u_d$. This is equal to the lower bound on the anonymity metric when the adversary controls a fraction $\sqrt{b}$ of the network.


4. TYPICAL DISTRIBUTIONS 

It is unlikely that users of onion routing will ever find themselves in the worst-case sit- 
uation. The necessary distributions just do not resemble what we expect user behavior 
to be like in any realistic use of onion routing. Our worst-case analysis may therefore 
be overly pessimistic. To get some insight into the anonymity that a typical user of 
onion routing can expect, we consider a more realistic set of users’ destination distri- 
butions in which each user selects a destination from a common Zipfian distribution. 
This model of user behavior is used by Shmatikov and Wang [2006] to analyze relation- 
ship anonymity in mix networks and is motivated by observations that the popularity 
of sites on the web follows a Zipfian distribution. 

Let each user select his destination from a common Zipfian distribution $p$: $p_{d_i} = 1/(\mu i^s)$, where $s > 0$ and $\mu = \sum_{i=1}^{|\Delta|} 1/i^s$. It turns out that the exact form of the distribution doesn’t matter as much as the fact that it is common among users.

Theorem 4.1. When $p^v = p^w$, for all $v, w \in U$,

$$E[\Psi \mid X_D(u) = d] = b^2 + (1-b^2)p^u_d + O(1/n).$$

PROOF. Let p be the common destination distribution. The expected assigned prob- 
ability can be expressed as: 


E[*\X d {u) = d]=b 2 + 6(1 - b)p u d + 


S= 1 


t = 0 


a - b) J2 & n-a (i - £(! - by-w ( n s J ) • 


5—1 

t- 1 


£ JJpa.’LiO, A) 

AeD t :A 1 =di=2 


5—1 


£ n pa, ^(s, a) 


A S-D* i=l 


. (10) 


Here, $s$ represents the size of the set of users with unobserved inputs, $t$ represents the size of the subset of those $s$ users that also have observed outputs, $\Delta$ represents the $t$ observed destinations, and $\Psi_4(s, \Delta)$ is the posterior probability. In this situation, $\Psi$ is unambiguous given $s$ and $\Delta$. Let $\Delta_d = |\{x \in \Delta : x = d\}|$. $\Psi_4$ can be expressed simply as:

* 4 (s,A) 


A d {s - 1)I A I” 1 + p d (s - 1) |A| 
S I A I 

(A d +Pd(s - t))/s. 


The sum

$$\sum_{\Delta \in D^t : \Delta_1 = d}\ \prod_{i=2}^{t} p_{\Delta_i}\, \Psi_4(s, \Delta)$$

in Equation 10 calculates the expectation for $\Psi_4$ conditioned on $s$ and $t$. The expression for $\Psi_4$ shows that this expectation depends linearly on the expected value of $\Delta_d$. $\Delta_d$’s expectation is simply $1 + p_d(t-1)$, because one destination in this case is always $d$, and each of the other $t-1$ is $d$ with probability $p_d$. The sum

$$\sum_{\Delta \in D^t}\ \prod_{i=1}^{t} p_{\Delta_i}\, \Psi_4(s, \Delta)$$

in Equation 10 similarly depends linearly on the expectation of $\Delta_d$, which in this case is $p_d t$.

With these observations, it is a straightforward calculation to show that the sum over $t$ in Equation 10 is simply

$$b\,\frac{p_d(s-1) + 1}{s} + (1-b)p_d.$$


We insert this into Equation 10 and simplify: 

E[^\X d (u) = d] =b 2 + 6(1 - b)p u d + 


(l-b)Yb n - s (l-b) s 


/n-!\ 

lp d (s~l) + l ] 

U-v 

U 1 V 1 u )Pd 

S 


=6 2 + 6(1 - b)p d + 


(1-6) 


b\Pd 


(i-p d )(i-(i-6r+ i ) 


b(n + 1) 


(1 - b)p d 


=6 2 + (1 — b 2 )p d + 0(l/n). 


□ 


Our results show that the expected value of the anonymity metric is close to $b^2 + (1-b^2)p^u_d$ for large populations, which matches the lower bound shown in Thm. 3.3. This fact also justifies somewhat using a simple analysis that does not take into account the effect on anonymity of the behavior of the whole user population.
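The comparison that Sections 3 and 4 draw between the lower bound, a common Zipfian population, and a population that always visits $d_{|\Delta|}$ can be checked numerically on a small network. The following Python sketch is an added example, not code from the paper: it enumerates every configuration under the assumption that each user's input and output are observed independently with probability b, and the function names, the 4-user, 3-destination setup and b = 0.2 are choices made for this illustration.

```python
from collections import defaultdict
from itertools import product


def adversary_view(dests, ins, outs):
    """Adversary's observation of one configuration (constructed model).

    A user with an observed input is linked to its circuit, and that circuit's
    destination is known only if the output is observed as well. Destinations
    seen on circuits with unobserved inputs form the unlinked multiset Delta^0.
    """
    linked = tuple(
        "unseen" if not i else (x if o else "no-output")
        for x, i, o in zip(dests, ins, outs)
    )
    unlinked = tuple(sorted(x for x, i, o in zip(dests, ins, outs) if o and not i))
    return linked, unlinked


def expected_posterior(dists, u, d, b):
    """Exact E[Psi | X_D(u) = d], by enumerating every configuration.

    dists[v][x] is the prior probability that user v picks destination x.
    """
    n, m = len(dists), len(dists[0])
    pr_view = defaultdict(float)        # Pr[view]
    pr_view_and_d = defaultdict(float)  # Pr[view and X_D(u) = d]
    flags = list(product((0, 1), repeat=n))
    for dests in product(range(m), repeat=n):
        p_dests = 1.0
        for v, x in enumerate(dests):
            p_dests *= dists[v][x]
        if p_dests == 0.0:
            continue
        for ins in flags:
            for outs in flags:
                seen = sum(ins) + sum(outs)
                pr = p_dests * b**seen * (1 - b) ** (2 * n - seen)
                view = adversary_view(dests, ins, outs)
                pr_view[view] += pr
                if dests[u] == d:
                    pr_view_and_d[view] += pr
    p_d = dists[u][d]
    # Sum over views of Pr[view | X_D(u) = d] * Psi(view), where
    # Psi(view) = Pr[view and X_D(u) = d] / Pr[view].
    return sum(hit / p_d * hit / pr_view[view] for view, hit in pr_view_and_d.items())


def lower_bound(b, p_d):
    """b^2 + (1 - b^2) p_d: Equation 3, the bound of Theorem 3.3."""
    return b**2 + (1 - b**2) * p_d


def worst_case_estimate(b, p_d):
    """b + (1 - b) p_d: the approximate worst case quoted in Section 3.2."""
    return b + (1 - b) * p_d


def zipf(m, s=1.0):
    """Zipfian distribution over m destinations, most popular first."""
    weights = [1.0 / i**s for i in range(1, m + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def compare(n=4, m=3, b=0.2):
    """User 0 targets destination 0 under two populations of other users."""
    p = zipf(m)
    least_likely = [0.0] * (m - 1) + [1.0]  # others always visit d_|Delta|
    return {
        "lower_bound": lower_bound(b, p[0]),
        "common": expected_posterior([p] * n, 0, 0, b),
        "hostile": expected_posterior([p] + [least_likely] * (n - 1), 0, 0, b),
        "worst_case_estimate": worst_case_estimate(b, p[0]),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:20s} {value:.4f}")
```

The enumeration is exponential in the number of users, so it is only practical for about five users or fewer.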


5. RELATED WORK 

Ours is not the first formalization of anonymous communication. Early formalizations 
used communicating sequential processes [Schneider and Sidiropoulos 1996], graph 
theory and possible worlds [Hughes and Shmatikov 2004], and epistemic logic [Syver- 
son and Stubblebine 1999; Halpern and O’Neill 2005]. These works focused primarily 
on formalizing the high-level concept of anonymity in communication. For this reason, 
they applied their formalisms to toy examples or systems that are of limited prac- 
tical application and can only provide very strong forms of anonymity, e.g., dining- 
cryptographers networks. Also, with the exception of Halpern and O’Neill [2005], they 
have at most a limited ability to represent probability and probabilistic reasoning. We
have focused in [Feigenbaum et al. 2007] on formalizing a widely-used, practical, low- 
latency system. 

Halpern and O’Neill [2005] give a general formulation of anonymity in systems that 
applies to our model. They describe a “runs-and-systems” framework that provides 
semantics for logical statements about systems. They then give several logical defini- 
tions for varieties of anonymity. It is straightforward to apply this framework to the 
network model and protocol that we give in [Feigenbaum et al. 2007]. Our possibilistic 
definitions of sender anonymity, receiver anonymity, and relationship anonymity then 
correspond to the notion of “minimal anonymity” as defined in their paper. The other 
notions of anonymity they give are generally too strong and are not achieved in our 
model of onion routing. 

Later formalizations of substantial anonymous communication systems [Camenisch 
and Lysyanskaya 2005; Mauw et al. 2004; Wikstrom 2004] have not been directly 
based on the design of deployed systems and have focused on provability without spe- 
cific regard for applicability to an implemented or implementable design. Also, results 
in these papers are for message-based systems: each message is constructed to be pro- 
cessed as a self-contained unit by the appropriate router, typically using the generally 
available public encryption key for that router. Such systems typically employ mixing, 
changing the appearance and decoupling the ordering of input to output messages at 
the router to produce anonymity locally [Chaum 1981]. Onion routing, on the other 
hand, is circuit based: before passing any messages with user content, onion routing 
first lays a circuit through the routers that provides those routers the keys to be used 
in processing the actual messages. Mixing can be combined with onion routing in var- 
ious ways [Reed et al. 1998], although this is not typical [Dingledine et al. 2004]. Such 
circuit creation facilitates bidirectional, low-latency communication and has been an
identifying feature of onion routing since the first public use of the phrase [Goldschlag 
et al. 1996]. Thus, while illuminating and important works on anonymous communica- 
tion, the formalizations above are not likely to be applicable to low-latency communi- 
cations, and, despite the title of [Camenisch and Lysyanskaya 2005], are not analyses 
of onion routing. 

Circuit construction has been done in various ways throughout the history of onion 
routing. In the first version of onion routing [Goldschlag et al. 1996], and other early 
versions [Reed et al. 1998; Goldberg and Shostack 2001], after a user selects a sequence 
of onion routers from a publicly-known set, the user then creates a circuit through this 
sequence using an onion, a data structure effectively composed only of layers with 
nothing in the middle. There is one public-key-encrypted layer for each hop in the 
circuit, the decryption of which contains the identity of the next hop in the circuit (if 
there is one) and keying material for passing data over the established circuit. In later 
protocols, such as used in Cebolla [Brown 2002] and Tor [Dingledine et al. 2004], the 
circuit is built via a telescoping protocol that extends the circuit hop-by-hop, using the 
existing circuit for each extension. For all of these, each hop only communicates with 
the routers before and after it in the sequence, and the messages are encrypted once for 
each router in the circuit so that no additional information leaks about the identities of 
the other routers or the destination of the circuit. Cryptographic techniques are used so 
that message forgery is countered. Some later designs returned to the non-interactive 
circuit construction of the original [Øverlier and Syverson 2007; Kate et al. 2007]. It is 
trivial to see that all of these fit directly within our model. 

Some versions of onion routing, such as those that do iterative discovery of onion 
routers via a DHT [Freedman and Morris 2002; Mittal and Borisov 2009; McLachlan 
et al. 2009], will not fit within our model without some extensions that we do not 
pursue herein. This is because the probability of first-last router choice and router 
compromise within a circuit can no longer be assumed to be independent. Some anonymity 
protocols that do not use onion routing may nonetheless also fit within our model, 
appropriately extended. For example, in Crowds [Reiter and Rubin 1998], the adver- 
sary can learn from observing the first and last routers, but the connection to the first 
router does not automatically identify the source. On the other hand the destination is 
always known to every router in the circuit. The probability that an observed circuit 
predecessor is the source can thus be combined with the observed destination and the 
a priori source-destination probability distribution. 

In this paper, we add probabilistic analysis to the framework of [Feigenbaum 
et al. 2007]. Other works have presented probabilistic analysis of anonymous com- 
munication [Reiter and Rubin 1998; Shmatikov 2004; Wright et al. 2004; Danezis 
2003; Danezis and Serjantov 2004; Mathewson and Dingledine 2004; Kesdogan et al. 
1998] and even of onion routing [Syverson et al. 2000]. The work of Shmatikov and 
Wang [2006] is particularly similar to ours. It calculates relationship anonymity in 
mix networks and incorporates user distributions for selecting destinations. However, 
with the exception of [Shmatikov 2004], these have not been formal analyses. Also, 
whether for high-latency systems such as mix networks, or low-latency systems, such 
as Crowds and onion routing, many of the attacks in these papers are some form of 
intersection attack. In an intersection attack, one watches repeated communication 
events for patterns of senders and receivers over time. Unless all senders are on and 
sending all the time (in a way not selectively blockable by an adversary) and/or all re- 
ceivers are receiving all the time, if different senders have different receiving partners, 
there will be patterns that arise and eventually differentiate the communication part- 
ners. It has long been recognized that no system design is secure against a long-term 
intersection attack. Several of these papers set out frameworks for making that more 
precise. In particular, [Danezis 2003], [Danezis and Serjantov 2004], and [Mathewson 
and Dingledine 2004] constitute a progression towards quantifying how long it takes 
(in practice) to reveal traffic patterns in realistic settings. 

We are not concerned herein with intersection attacks. We are effectively assuming 
that the intersection attack is done. The adversary already has a correct distribution 
of a user’s communication partners. We are investigating the anonymity of a commu- 
nication in which a user communicates with one of those partners in the distribution. 
This follows the anonymity analyses performed in much of the literature [Kesdogan 
et al. 1998; Mauw et al. 2004; Reiter and Rubin 1998; Syverson et al. 2000], which 
focus on finding the source and destination of an individual communication. Our anal- 
ysis differs in that we take into account the probabilistic nature of the users’ behavior. 
Probabilistic anonymity metrics used previously include, when applied to our situa- 
tion, the probability assigned to the correct destination [Reiter and Rubin 1998], the 
entropy of the destination distribution [Diaz et al. 2002; Serjantov and Danezis 2002], 
and maximum probability within the destination distribution [Toth et al. 2004], where 
the distribution in each case is a conditional distribution given the adversary’s view. 
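
The three metrics above are all read off one conditional distribution. The following Python is an added illustration, not code from the paper: it computes that distribution by brute-force enumeration and then evaluates the three metrics on it. It assumes a simplified observation model in which each user's input and output are observed independently with probability b and are linked only when both are observed; the function names and the sample scenario are constructed for this example.

```python
import itertools
import math

def state_probs(b):
    # Assumed model: a user's input and output are each observed independently with
    # probability b. States: 0 unobserved, 1 input only, 2 output only, 3 both (linked).
    return [(1 - b) ** 2, b * (1 - b), (1 - b) * b, b * b]

def view(dests, states):
    """Adversary's view: users seen sending, unlinked destinations seen, linked pairs."""
    inputs = frozenset(u for u, s in enumerate(states) if s == 1)
    unlinked = tuple(sorted(d for d, s in zip(dests, states) if s == 2))
    linked = frozenset((u, d) for u, (d, s) in enumerate(zip(dests, states)) if s == 3)
    return inputs, unlinked, linked

def posterior(priors, b, user, observed):
    """P(user's destination = d | observed view), by exhaustive enumeration."""
    n, m = len(priors), len(priors[0])
    sp = state_probs(b)
    mass = [0.0] * m
    for dests in itertools.product(range(m), repeat=n):
        p_dests = math.prod(priors[u][d] for u, d in enumerate(dests))
        for states in itertools.product(range(4), repeat=n):
            if view(dests, states) == observed:
                mass[dests[user]] += p_dests * math.prod(sp[s] for s in states)
    total = sum(mass)
    if total == 0.0:
        raise ValueError("view has probability zero under this model")
    return [x / total for x in mass]

def metrics(post, true_dest):
    """Probability of the correct destination, entropy (bits), and maximum probability."""
    entropy = -sum(p * math.log2(p) for p in post if p > 0)
    return {"p_correct": post[true_dest], "entropy_bits": entropy, "max_prob": max(post)}

def zipf(m, s=1.0):
    """Zipfian prior over m destinations (rank k has weight 1/k**s)."""
    weights = [1 / k ** s for k in range(1, m + 1)]
    return [w / sum(weights) for w in weights]

if __name__ == "__main__":
    # Constructed scenario: 3 users share a Zipfian prior over 3 destinations, b = 0.2.
    priors = [zipf(3)] * 3
    # True state: user 0 -> destination 2 (output seen, unlinked); user 2 seen sending.
    seen = view((2, 0, 0), (2, 0, 1))
    post = posterior(priors, 0.2, 0, seen)
    print(post, metrics(post, true_dest=2))
```

In the constructed scenario, one unlinked output to the least popular destination raises the posterior for user 0 on that destination from the prior 2/11 to 13/22, because only two users could have produced it.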

We expect this to have potential practical applications. For example, designs for 
shared security-alert repositories to facilitate both forensic analysis for improved se- 
curity design and quicker responses to widescale attacks have been proposed [Lincoln 
et al. 2004]. A participant in a shared security-alert repository might expect to be 
known to communicate with it on a regular basis. Assuming reports of intrusions, etc., 
are adequately sanitized, the concern of the participant should be to hide when it is 
that updates from that participant arrive at the repository, i.e., which updates are 
likely to be from that participant as opposed to others. 
6. CONCLUSIONS AND FUTURE WORK 

We expect each user of an anonymity network to have a pattern of use. In order to 
make guarantees to the user about his anonymity, we need to take this into account 
when modeling and analyzing the system, especially in light of previous research that 
indicates that an adversary can learn these usage patterns given enough time. 

We perform such an analysis on onion routing. Onion routing is a successful design 
used, in the form of the Tor system, by hundreds of thousands of people to protect their 
security and privacy. But, because it was designed to be practical and because theory 
in this area is still relatively young, the formal analysis of its privacy properties has 
been limited. 

We perform our analysis using a simple black-box model in the UC framework. 
We justify this model by showing that it information-theoretically provides the same 
anonymity as the onion routing protocol formalized by Feigenbaum et al. [2007] and by 
recognizing that it can be UC-realized. Furthermore, it should lend itself to the anal- 
ysis of other anonymity protocols expressed within the UC framework. We investigate 
the relationship anonymity of users and their destinations in this model and measure 
it using the probability that the adversary assigns to the correct destination of a given 
user after observing the network. 

Our anonymity analysis first shows that a simple, standard approximation to the 
expected value of the anonymity metric provides a lower bound on it. Then we consider 
the worst-case set of user behaviors to give an upper bound on the expected value. We 
show that, in the limit as the number of users grows, a user’s anonymity is worst 
either when all other users choose destinations he is unlikely to visit, because that 
user becomes unique and identifiable, or when that user chooses a destination that all 
other users prefer, because the adversary mistakes the group’s choices for the user’s 
choice. This worst-case anonymity with an adversary that controls a fraction b of the 
routers is comparable to the best-case anonymity against an adversary that controls a 
fraction $\sqrt{b}$. 

The worst case is unlikely to be the case for any users; so we investigate anonymity 
under a more reasonable model of user behavior suggested in the literature. In it, users 
select destinations from a common Zipfian distribution. Our results show that, in this 
case and in any case with a common distribution, the expected anonymity tends to the 
best possible, i.e. the adversary doesn’t usually gain that much knowledge from the 
other users’ actions. 

Our anonymity analysis provides some justification for the non-rigorous analysis 
that is typically used with onion-routing security. However, it also shows that, in the 
worst case, user behaviors can interact to degrade anonymity to a surprising degree; 
therefore, in unusual situations this factor should be taken into account. 

Future work includes extending this analysis to other types of anonymity (such 
as sender anonymity), extending it to other anonymity networks, and learning more 
about the belief distribution of the adversary than just its mean. A big piece of the 
attack we describe is in learning the users’ destination distribution, about which only 
a small amount of research, usually on simple models, has been done. The speed with 
which an adversary can perform this stage of the attack is crucial in determining the 
validity of our attack model and results. 

In response to analyses such as that of Øverlier and Syverson [2006], the current 
Tor design includes entry guards by default for all circuits. Roughly, this means that, 
since about January 2006, each Tor client selects its first onion router from a small set 
of nodes that it randomly selects at initialization. The rationale is that communication 
patterns of individuals are what need to be protected. If an entry guard is compro- 
mised, then the percentage of compromised circuits from that user is much higher. 
But, without entry guards, it appears that whom that user communicates with and 
even at what rate can be fairly quickly learned by an adversary owning a modest per- 
centage of the Tor nodes anyway. If no entry guard is compromised, then no circuits 
from that user will ever be linked to him. However, if a user expects to be targeted 
by a network adversary that can control nodes, he can expect his entry guards ulti- 
mately to be attacked and possibly compromised. If the destinations he chooses that 
are most sensitive are rarely contacted, he may thus be better off choosing first nodes 
at random. How can we know which is better? Extending our analysis to include entry 
guards will allow us to answer or at least further illuminate this question. 

Our model also assumes that client connections to the network are such that the 
initial onion router in a circuit can tell that it is initial for that circuit. This is true for 
the overwhelming majority of traffic on the Tor network today, because most users run 
clients that are not also onion routers. However, for circuits that are initiated at a node 
that runs an onion router, a first node cannot easily tell whether it is the first node or 
the second — without resorting to other attacks of unknown efficacy, e.g., monitoring 
latency of traffic moving in each direction in response to traffic moving in the other di- 
rection. Thus, that initiating edge of the black box is essentially fuzzy. Indeed, this was 
originally the only intended configuration of onion routing for this reason [Goldschlag 
et al. 1996]. The addition of clients that do not also function as routers was a later inno- 
vation that was added to increase usability and flexibility [Reed et al. 1998; Syverson 
et al. 2000]. Similarly, peer-to-peer designs such as Crowds [Reiter and Rubin 1998] 
and Tarzan [Freedman and Morris 2002] derive their security even more strongly from 
the inability of the first node to know whether it is first or not. Thus, extending our 
model and analysis to this case will make it still more broadly applicable. 


A. APPENDIX 

Let $f$ be as defined in Lemma 3.5. 

Lemma A.1. $D^2_{s_{d_i}} f \geq 0$. 

PROOF. Let $i = s_{d_i}$ and $\mu = v - m$ for simplicity. Then 

2 {v + ig){v + {v-i)g) 

Pd.v{v + ig)( 1 — i + v) + (1 + i)plv{v - ig + vg) + + ig){y - ig + vg) ’ 

The second derivative of $f$ can be expressed as 

$$D^2_{s_{d_i}} f = \frac{N}{D},$$

where 

N = - ^(2 (i + j)(-i - j + g) 

(-* 3 (Pd, ~ + 3)(Pdi + Pd j ) + Pp)+ 

$i 2 (i + j)g 2 (pi + pi + P u di g)((i + mi +pi)+ p g)~ 

3 i(i + + j)(Pdi +Pdj) + ftp) Pdj + Pdi (1 + A 4 ) 2 ) + 

(* + j) 3 ((* + i)(f’d i ) 2 (l + p) 3 + Pdj ((* + 3 )Pdj + Pp) + 

Pdi + p) 3 +Pdj (2 + p) (~i — j + 2p + (1 + * + ^ 
and 

D = ^(i + j) 2 {Pd t + iPdi + Pdj + 3Pdj + P)+ 

( i + jWiPdi + P)+3 (Pd< + iPd, + iPd, + £))b + U/V) , 

substituting $(i + j)$ for $v$. $D$ is clearly positive. Therefore we must just show that $N$ is 
non-negative. 

We collect terms in $N$ by the coefficients $p^u_{d_i}$, $p^u_{d_j}$, and $\beta$: 

$$
\begin{aligned}
&2\, p^u_{d_j}\beta\,(i+j)(i+j-\mu)\,\mu\,(i+j+i\mu)^3 + {} \\
&2\, p^u_{d_i}\beta\,(i+j)(i+j-\mu)\,\mu\,(i+j+j\mu)^3 + {} \\
&2\, (p^u_{d_j})^2 (i+j)^2 (i+j-\mu)(i+j+i\mu)^3 + {} \\
&2\, (p^u_{d_i})^2 (i+j)^2 (i+j-\mu)(i+j+j\mu)^3 + {} \\
&2\, p^u_{d_i} p^u_{d_j} (i+j)^2 (i+j-\mu)(i+j)(2+\mu) \cdot {} \\
&\qquad \left(i^2(-1+\mu^2) + j\left(\mu(2+\mu) + j(-1+\mu^2)\right) + i\left(\mu(2+\mu) - j(2+\mu^2)\right)\right).
\end{aligned}
$$

The coefficients of the terms in $p^u_{d_i}$ and $p^u_{d_j}$ are clearly positive because $i + j = v > v - m = \mu$. 

If we collect the remaining terms by $i$ and $j$, we get 

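$$
\begin{aligned}
&i^3\left((p^u_{d_i})^2 + (p^u_{d_j})^2(1+\mu)^3 + p^u_{d_i}p^u_{d_j}(-2-\mu+2\mu^2+\mu^3)\right) + {} \\
&j^3\left((p^u_{d_j})^2 + (p^u_{d_i})^2(1+\mu)^3 + p^u_{d_i}p^u_{d_j}(-2-\mu+2\mu^2+\mu^3)\right) + {} \\
&i^2\, p^u_{d_i}p^u_{d_j}\,\mu(2+\mu)^2 + {} \\
&j^2\, p^u_{d_i}p^u_{d_j}\,\mu(2+\mu)^2 + {} \\
&2ij\, p^u_{d_i}p^u_{d_j}\,\mu(2+\mu)^2 + {} \\
&3i^2j\left((p^u_{d_i})^2(1+\mu) + (p^u_{d_j})^2(1+\mu)^2 - p^u_{d_i}p^u_{d_j}(2+\mu)\right) + {} \\
&3ij^2\left((p^u_{d_j})^2(1+\mu) + (p^u_{d_i})^2(1+\mu)^2 - p^u_{d_i}p^u_{d_j}(2+\mu)\right).
\end{aligned}
$$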

The coefficients for the $i^3$ and $j^3$ terms are clearly non-negative when $\mu \geq 1$. When 
$\mu = 0$, observe that the coefficients become $(p^u_{d_i} - p^u_{d_j})^2 \geq 0$. The coefficients for the $i^2$, 
$j^2$, and $ij$ terms are also clearly non-negative. 

To show that the $i^2 j$ term is non-negative, we use the fact that $p^u_{d_i}$ and $p^u_{d_j}$ are 
probabilities that sum to at most one. Let $p^u_{d_j} = \zeta - p^u_{d_i}$, $0 \leq \zeta \leq 1$. Then the coefficient of $i^2 j$ 
becomes a quadratic function of $p^u_{d_i}$ with positive second derivative. Its minimum is at 

$$p^u_{d_i} = \frac{4\zeta + 5\zeta\mu + 2\zeta\mu^2}{2(2+\mu)^2}.$$

The coefficient evaluated at this point is 

$$\frac{\zeta^2\mu(8 + 11\mu + 4\mu^2)}{4(2+\mu)^2},$$

which is non-negative. Therefore, the whole $i^2 j$ term is non-negative. 
Similarly, for the $ij^2$ term, we look at its coefficient as a function of $p^u_{d_i}$, with 
$p^u_{d_j} = \zeta - p^u_{d_i}$. It is also a quadratic function with positive second derivative. Its minimum is 
found at 

4C + 

2(2 + /i) 2 ' 

The coefficient evaluated at this point is 

$$\frac{\zeta^2\mu(8 + \mu(11 + 4\mu))}{4(2+\mu)^2},$$

which is non-negative. Therefore, the whole $ij^2$ term is non-negative. This implies that 
$N$ is non-negative, and thus that $D^2_{s_{d_i}} f$ is non-negative. □ 